(54) Strong authentication method using a telecommunications device



(57) There is described a method of obtaining strong authentication for a remote network, by way of the remote network generating a security code, and transmitting this code to a user, via a separate connection (for example, via a mobile telephone).

This security code is used by the user to gain access to the remote network.
Description

[0001] The present invention relates to a strong authentication method using a telecommunications device, for example, a mobile phone or a pager. Strong authentication requires the use of a security token. Specialised security tokens are provided whenever the need for secure access to a remote network location is required, for example, when accessing a bank account over the internet.

[0002] A security token is conventionally a device by means of which a user can prove their identity to the remote network site which they wish to access. Strong authentication requires the combination of a username, password and a security token, and is used when authentication by means of a username and password alone is not sufficient for security purposes.

[0003] Conventional security token devices are typically specialised devices and are consequently often expensive. In addition, they are normally not familiar to the user community and so are often difficult to use. Furthermore, the tokens may themselves be lost or damaged.

[0004] For users who possess a mobile phone, pager or other data communication means having a visual display, a means to provide strong authentication can be established without the use of a dedicated security token device.

[0005] An authentication process to provide a user with strong authentication, comprising the steps of:-

(i) establishing a connection from a terminal device to a remote network/Internet site;

(ii) entering a user password and communicating the user password from the terminal device to the remote site through said connection;

(iii) generating at the remote site, on receipt of the password, an authentication security code;

(iv) establishing a second connection from the remote site to the user, the second connection being separate from said first connection;

(v) transmitting security code to the user through said second connection;

(vi) entering the security code at the terminal device and transmitting the security code from the terminal device to the remote site through said first connection;

(vii) comparing the security code entered at the terminal device with the security code previously generated by the remote site; and

(viii) providing authentication on correct comparison.

The invention seeks to provide a strong authentication method using a telecommunications device for a user accessing a remote server or host from a terminal by means of a network, the user having a telecommunications device with a display, the strong authentication method comprising:

the user connecting to the server or host;

the server or host requesting login data from the user;

the server or host correlating said login data with data held in a database representing the telephone number of said telecommunications device;

the server or host generating a security PIN and communicating said PIN to said telecommunications device;

the user receiving said PIN from said telecommunications device and entering said PIN into said terminal;

the PIN entered by said user being compared with the PIN generated by said server or host;

wherein if the PIN entered by the user and the PIN generated by said server or host match then the user is allowed access to said remote server or host or to software accessed via said remote server/host.

[0006] Preferably, the PIN entered by the user and the PIN generated by the server or host is compared by software running at the server or host.

[0007] Preferably, the telecommunications device is a mobile phone or pager.

[0008] Preferably the PIN is generated randomly by means of a suitable software algorithm.

[0009] More preferably, the PIN is generated for single or one-time use.

[0010] Preferably, the PIN is communicated to the telecommunications device by the server or host in the form of a text message.

[0011] Preferably, the server or host is a workstation or internet site.

[0012] The present example will be further illustrated by way of example, with reference to the accompanying drawing in which the single Figure is a diagram illustrating the strong authentication process.

[0013] As illustrated, a user, having a telecommunications device 5 with a display, connects to a remote server/host 3 via a network 2 (for example a LAN, WAN or an Internet site) via suitable terminal-type device 1, for example a PC or workstation. The telecommunications device 5 may, for example, be a mobile telephone or pager, or other portable communications type device which has an access code or PIN known to the user to restrict unauthorised use.

[0014] The remote server/host 3 accessed by the user then executes a software login routine to prompt the user for login data, for example, a username and/or password. The login routine includes a suitable algorithm to correlate the user login data with a telephone number stored in a suitable database and which corresponds to the user's telecommunication device 5. The database may be stored on the server/host itself or may be remotely stored and be accessed by the server/host.

[0015] The remote server/host 3 generates a security PIN number, for example a "one-time use" PIN, by means of a suitable software algorithm such as, for example, may be used to generate random numbers. The security PIN is then sent via the telecommunication network 4 to the telecommunications device 5, for example, as a text message which is displayed on the display of the telecommunications device 5.

[0016] The user is thus notified of the security PIN by the telecommunication device 5. The user enters the security PIN at the terminal 1 and the security PIN data entered by the user is then compared by the server/host 3 with the security PIN generated by the server/host 3. If the two entries match, then the user is authenticated to the remote server/host 3. The security PIN communicated via the telecommunications network to the telecommunication device 5 proves the user's identity. The telecommunications device 5 thus acts as a "security token" to prove the user's identity and authorise the user's access to the remote server/host.
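The server/host side of the flow in paragraphs [0014] to [0016], as an added example that is not part of the patent text: login data is correlated with a stored telephone number, a one-time PIN is generated and sent over the second channel, and the PIN typed at the terminal is compared with it. The PIN length, lifetime and retry limit, the in-memory stores, the sample user and the `OUTBOX` list standing in for the telecommunication network 4 are all assumptions.

```python
import hashlib, hmac, secrets, time

PIN_DIGITS, PIN_TTL, MAX_TRIES = 6, 120, 3  # assumed policy, not in the patent

def _hash(password, salt=b"constructed-salt"):  # constructed fixed salt
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed sample database: login data correlated with a phone number.
USERS = {"alice": {"pw": _hash("correct horse"), "phone": "+440000000001"}}
PENDING = {}  # username -> [pin, expiry time, tries left]
OUTBOX = []   # stands in for telecommunication network 4 (e.g. an SMS gateway)

def start_login(username, password, now=None):
    """Check the login data, generate a one-time PIN, send it out of band."""
    now = time.time() if now is None else now
    user = USERS.get(username)
    if user is None or not hmac.compare_digest(_hash(password), user["pw"]):
        return False
    # Use a CSPRNG: a guessable PIN defeats the second factor.
    pin = f"{secrets.randbelow(10 ** PIN_DIGITS):0{PIN_DIGITS}d}"
    PENDING[username] = [pin, now + PIN_TTL, MAX_TRIES]
    OUTBOX.append((user["phone"], pin))  # second connection, to device 5
    return True

def finish_login(username, entered_pin, now=None):
    """Compare the PIN typed at terminal 1 with the one the server generated."""
    now = time.time() if now is None else now
    entry = PENDING.get(username)
    if entry is None:
        return False
    pin, expiry, _ = entry
    if now > expiry:
        del PENDING[username]  # expired PINs are discarded
        return False
    if hmac.compare_digest(entered_pin.encode(), pin.encode()):
        del PENDING[username]  # one-time use: consumed on success
        return True
    entry[2] -= 1              # count the failed guess
    if entry[2] == 0:
        del PENDING[username]  # retry limit reached: PIN is void
    return False
```

The PIN is only as strong as the second channel that carries it, so the expiry and retry limit bound how long an intercepted or guessed value remains useful.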
[0017] It can thus be seen that the security token provided in accordance with the present invention exhibits many substantial advantages over the prior art devices and permits a user to be identified and their access to a remote server/host authenticated over a network without the requirement for additional security token devices.

[0018] While the above embodiment has been chosen to illustrate the present invention, it will be apparent to those skilled in the art from this disclosure that various changes and modifications can be made herein without departing from the scope of the invention.



Claims 

1. An authentication process to provide a user with strong authentication, comprising the steps of:-

(i) establishing a connection from a terminal device to a remote network/Internet site;

(ii) entering a user password and communicating the user password from the terminal device to the remote site through said connection;

(iii) generating at the remote site, on receipt of the password, an authentication security code;

(iv) establishing a second connection from the remote site to the user, the second connection being separate from said first connection;

(v) transmitting security code to the user through said second connection;

(vi) entering the security code at the terminal device and transmitting the security code from the terminal device to the remote site through said first connection;

(vii) comparing the security code entered at the terminal device with the security code previously generated by the remote site; and

(viii) providing authentication on correct comparison.

2. Authentication process which provides a strong authentication using a telecommunications device to permit a user to access a remote server or host from a terminal by means of a network, the user having a telecommunications device with a display, the authentication process comprising the steps of:

the user connecting to the server or host;

the server or host requesting login data from the user;

the server or host correlating said login data with data held in a database representing the telephone number of said telecommunications device;

the server or host generating a security PIN and communicating said PIN to said telecommunications device;

the user receiving said PIN from said telecommunications device and entering said PIN into said terminal;

the PIN entered by said user being compared with the PIN generated by said server or host;

wherein if the PIN entered by the user and the PIN generated by said server or host match then the user is allowed access to said remote server or host or to software accessed via said remote server/host.

3. Authentication process as claimed in Claim 2, wherein the telecommunications device is a mobile phone or pager.

4. Authentication process as claimed in any preceding claim, wherein the PIN entered by the user and the PIN generated by the server or host is compared by software running at the server or host.

5. Authentication process as claimed in any preceding claim, wherein the PIN is generated randomly by means of a suitable software algorithm.

6. Authentication process as claimed in any preceding claim, wherein the PIN is generated for single or one-time use.

7. Authentication process as claimed in any preceding claim, wherein the PIN is communicated to the telecommunications device by the server or host in the form of a text message.

8. Authentication process as claimed in any preceding claim, wherein the server or host is a workstation or internet site.

9. Authentication process substantially as herein before described with reference to the accompanying figure.




EP 1 107 089 A1 







European Patent Office



EUROPEAN SEARCH REPORT 



EP 00 31 1024 



DOCUMENTS CONSIDERED TO BE RELEVANT 



EP 0 844 551 A (VENEKLASE BRIAN J) 
27 May 1998 (1998-05-27) 

* column 1, line 27 - line 49 * 

* column 7, line 29 - column 9, line 25 * 

* figure 6 * 

WO 95 19593 A (KEW MICHAEL JEREMY ; LOVE JAMES SIMON (GB))
20 July 1995 (1995-07-20)

* page 7, line 34 - page 9, line 11 * 

* figure 1 * 




20 March 2001 






